I contacted 3APA3A, who contacted the original researcher, and an exploit
is now in the developer's hands. I did some cursory analysis and 3APA3A
did some more extensive followup that suggests there is a real issue, but
I'll wait to post details until we hear back from the developer.
- Steve